Published via GitHub Executive Insights | Authored by Dave Burnison

Welcome to the January, 2026 edition of the GitHub Monthly Enterprise Roundup (MER). This edition spotlights a significant reduction in hosted runner pricing for GitHub Actions—delivering up to 39% savings for enterprise CI/CD workloads, and actionable guidance to secure CI/CD infrastructure & workflows. Are you struggling to adopt AI in software development across your organization? Check out resources such as "GitHub’s Internal AI Adoption Playbook", "Five unexpected wins when you roll out AI systematically" and "Want better AI outputs? Try context engineering". You will find numerous links to expert guidance, documentation, and podcasts, ensuring teams can quickly access the latest CI/CD, security and AI innovations and product advancements to strengthen their environments and stay ahead of emerging threats.

We don't expect you to read every word. Skim through the topics that apply to how you use GitHub and dig into links that are the most relevant to you. Any one person will not read every link in this post but, across your team, every link may be read by at least one of your team members. Pass this MER along to your colleagues or pass along specific links that will be beneficial to others. Suggestion: point your favorite AI tool to this post and ask the tool to create a short list for you based on your role and specific interests.

The audience for the MER is anyone in enterprise software development so, there is a wide range of information here. To get a more personalized subset, try this: Open up your favorite AI tool, (e.g. ChatGPT, Microsoft Copilot, etc.) and ask the tool to provide you a list of links that you should explore. For example: 

• My role is to facilitate AI adoption within software development across our entire organization. Based on the links found on this web page, create a list of the links that I should explore. 

• My role is to manage DevOps and security tooling within software development across our entire organization. Based on the links found on this web page, create a list of the links that I should explore. 

• My role is to explore how to increase developer productivity within software development across our entire organization. Based on the links found on this web page, create a list of the links that I should explore. 

• My role is to manage builds, automated tests and deployments within software development across our entire organization. Based on the links found on this web page, create a list of the links that I should explore.

Let us know if this approach works for you. We would also like to know what prompt you use to get a list of links tailored to your role and interests. Please provide your feedback here: January ‘26 enterprise roundup - community · Discussion.

Prefer to get updates through podcasts? Check out the GitHub at Work Podcast. 

Want to get notified of when the next MER is available? Go to GitHub Enterprise on LinkedIn and click on the "Follow" button. In addition to MER notifications you'll be notified when new episodes of GitHub at Work Podcast and other enterprise focused content becomes available. 

GitHub Platform

We have been listening to our enterprise customers for years regarding enterprise management & governance. We are excited to share product updates and new guidance to assist those who manage GitHub for hundreds if not thousands of stakeholders. This month new guidance from https://wellarchitected.github.com to help keep development and CI/CD environments secure and guidance on enterprise adoption of AI are at the top of the list.

General 

• 🗣️ Locking Down GitHub Enterprise: A Security-First Approach that Actually Works: Our CSA codified the security practices that actually work in the real world – the ones I walk through with customers who are serious about protecting their intellectual property without sacrificing developer productivity. Think of this as your GitHub Enterprise security implementation guide, presentation deck, and sanity-preservation manual all rolled into one. 

• 📐 Securing the developer workspace - Developer workspaces are a critical security boundary—if compromised, they can expose source code, inject malicious code, and trigger supply chain attacks. This guidance explains how to minimize risk through strong identity controls, workspace isolation, least privilege, secure dependency management, and AI-assisted development safeguards. Understanding these practices is essential to protect your organization’s code integrity and prevent vulnerabilities from entering production.

• 📐 Securing GitHub Actions Workflows - CI/CD pipelines are a prime target for attackers, and insecure GitHub Actions workflows can expose your entire codebase and infrastructure. This guide explains critical strategies—like enforcing least privilege, pinning actions to immutable versions, and using OIDC authentication—to eliminate common attack vectors and protect against supply chain risks. If you manage enterprise workflows, these practices are essential to prevent privilege escalation, injection attacks, and compromised dependencies at scale.

• 🎧 A Month for Reflection and Improvements | GitHub at Work Podcast - We dive into the biggest post-Universe improvements shaping GitHub’s future—from major updates to the GitHub Coding agent to enterprise-level controls for AI governance, budgeting, and access restrictions. You’ll also hear about Claude Haiku 4.5 going GA across all IDEs and new CodeQL capabilities for Rust, making this a must-listen for leaders focused on developer productivity, security, and governance. If you want to understand how these changes impact your workflows and strategy, this episode is for you.

• 🚢 GitHub Enterprise Cloud data residency in Japan is generally available - Meet compliance and data sovereignty requirements with GitHub Enterprise Cloud data residency now generally available in Japan, ensuring your code and repository data remain within specified geographic boundaries.

• 🚢 Teams management now moved to Settings - Navigate team administration more intuitively with teams management now centralized in the Settings page, streamlining organizational structure management for enterprise administrators.

• 🚢 Enterprise teams product limits increased by over 10x - Scale team management to unprecedented levels with limits expanded to 2,500 enterprise teams per enterprise and 5,000 users per team, empowering large organizations to structure access control, governance, and Copilot licensing across massive workforces.

• 🚢 Controlling who can request apps for your organization is now generally available - Organizations can now enforce stricter governance by choosing who can request GitHub Apps or OAuth apps, ensuring all third-party integrations undergo proper approval and security review.

• 🚢 Repository dashboard: Find, search, and save queries in preview - Discover and organize repositories more effectively with the new repository dashboard featuring advanced search, filtering by custom properties, and saved queries, helping enterprises manage large repository portfolios with ease.

• 🚢 Repository custom properties: GraphQL API and URL type - Automate repository metadata management at scale using the new GraphQL API support for custom properties with URL validation, enabling advanced governance workflows and eliminating REST API rate-limit challenges for large enterprises.

• 🚢 More accurate Copilot Autofix usage metrics on security overview - Improved metrics now give you clearer visibility into how Copilot Autofix reduces security debt and prevents vulnerabilities from merging into your codebase.

• 🚢 Enterprise governance and policy improvements for secret scanning - Strengthen secret protection at scale with enterprise governance enhancements including delegated bypass controls for push protection and Enterprise Security Manager support, giving security teams centralized oversight while maintaining developer velocity.

• 🚢 Review commit-by-commit, improved filtering, and more in the pull request files changed public preview - Accelerate code reviews with commit-by-commit review capabilities and enhanced filtering directly in the Files Changed view, keeping reviewers focused without context switching for more efficient collaboration.

• 🚢 GitHub Changelog - GitHub Platform, December, 2025 - Skim through all of the GitHub Platform related changes from December. 

GitHub Copilot & AI

• 🌐 LinkedIn: Five unexpected wins when you roll out AI systematically - Is your enterprise rushing to implement AI without a clear strategy? When a Microsoft team (Dynamics 365) took a deliberate, systematic approach to their AI rollout, they uncovered Five Unexpected Wins that created lasting value beyond just the tools themselves. Learn how prioritizing foundational best practices and systems thinking led to: 1) Process clarity and focus, 2) Permanent operational assets, 3) Accelerated stakeholder alignment. Stop chasing the "AI rush." Read the case study to discover the blueprint for systematic success.

• 🌐 LinkedIn: GitHub’s Internal AI Adoption Playbook & https://github.com/github/ai-adoption-playbook - At GitHub, we believe the future of work isn't just about building AI tools, it's about empowering people to use them. As we've navigated our own AI transformation, we've learned that the hardest part isn't the technology. It's the change management. We created this repository to share our journey with you. These aren't abstract frameworks or untested theories—they're the real strategies, lessons, and sometimes hard-won insights from GitHub's AI for Everyone initiative. We're opening up our internal playbook because we believe the best way to accelerate AI adoption across the industry is to learn from each other.

• 📺 Transforming Engineering Leadership with AI and Metrics (31:36) - Join GitHub's Andrea Griffiths and Jeff Keyes, Field CTO at Allstacks, to explore how the Intelligence Engine and AI-powered deep research agents help senior leaders optimize engineering investments and improve project predictability. We break down why most AI adoption falls short, address real challenges, and discuss how to measure what actually matters: alignment and ROI. Learn how to speak the language of business, move beyond vanity metrics and dashboards, and use data-driven insights to eliminate bottlenecks across your entire development pipeline.

• 🚢 Track Copilot code generation metrics in a dashboard - You can now track how GitHub Copilot is impacting your enterprise development—down to lines added or deleted by users versus agents and broken out by model and language—enabling data-driven insights into AI-assisted productivity trends.

• 📄 Viewing the code generation dashboard - You can monitor how Copilot is generating code across your enterprise, including activity from both users and agents, through the code generation dashboard. This visibility helps you understand adoption trends, compare user-driven and agent-driven development, and analyze activity by model and language to guide governance and optimization strategies. Knowing this ensures you can make informed decisions about AI-assisted development and enforce enterprise policies effectively.

• 🚢 Track organization Copilot usage - Uncover how your organization is truly using Copilot—dive into aggregated and user‑specific API metrics on feature adoption, engagement patterns, and usage trends to drive data‑informed decisions and maximize ROI.

• 🚢 Enterprise-level pull request activity now included in Copilot Usage Metrics in public preview - Enterprise leaders gain daily, enterprise‑wide insight into how human and Copilot-driven pull request creation and review patterns are shaping real development velocity, enabling sharper decisions on workflow optimization and AI adoption across their engineering organization.

Developer Skills

General developer expertise based on our own experience and the collective experience of our customers and partners. It's time to start diving into how AI is going to work along side of you to make you a better, more productive developer not, replace you. Check out the new posts 📢, documentation 📄, and articles 📚 to see how AI can make you an awesome developer and guidance for how large enterprises should approach adopting AI. 

• 📢 & 📺 The new identity of a developer: What changes and what doesn't in the AI era (3:40) - Advanced AI tools are fundamentally redefining what it means to be a developer—shifting roles from direct code producers to orchestrators who delegate tasks to AI and verify results. This post explores how cloud-native platforms, AI collaboration, and security-first workflows are reshaping developer identity, while core problem-solving skills remain essential. Development leaders will gain insights into how to prepare their teams for this transition and what capabilities matter most in the AI-fluent engineering era.

• 📢 Speed is nothing without control: How to keep quality high in the AI era - AI tools dramatically accelerate development velocity, but without proper guardrails, speed creates technical debt and reliability issues faster than ever before. This post introduces GitHub Code Quality (powered by CodeQL) and practical strategies for maintaining code reliability, security, and maintainability while leveraging AI acceleration. For engineering leaders balancing delivery speed with sustainable quality, this article provides the framework for successful AI-augmented development at enterprise scale.

• 📄Using innersource in your enterprise - Adopting innersource practices can transform how your teams collaborate by making internal projects discoverable, reusable, and easier to maintain. This approach reduces duplicated effort, accelerates development, and fosters a culture of shared ownership without compromising security. Understanding these best practices ensures your enterprise can scale innovation while maintaining control over sensitive information.

• 📢 & 📺 Why AI is pushing developers toward typed languages (4:32) - AI-powered coding tools are driving a dramatic shift toward statically typed languages like TypeScript, which now leads as GitHub's most-used language. Type systems serve as essential guardrails for AI-generated code, catching errors early and providing the structural contracts that enable safe collaboration between human developers and AI agents. For teams integrating AI into their workflows, understanding why typed languages have become the safety net for machine-assisted development is critical to building reliable, scalable systems.

GitHub Copilot

Recent advancements and feature updates for GitHub Copilot, with a particular focus on the coding agent and agentic code review. Checkout the guidance on how to get the kind of output from GitHub Copilot you want and need to drive real business value.

GitHub Copilot coding agent

• 📢 & 📺 Want better AI outputs? Try context engineering (16:11) - Context engineering—the next evolution of prompt engineering—helps you shape AI outputs by giving Copilot the rules, workflows, and specialized agents it needs to match your architecture and standards. Learn why adding custom instructions, reusable prompts, and task-specific agents isn’t just about better code—it’s about reducing friction, improving consistency, and transforming how your team builds software.

• 📢 WRAP up your backlog with GitHub Copilot coding agent - Master the WRAP framework (Write effective issues, Refine instructions, Atomic tasks, Pair with the agent) to transform GitHub Copilot from a coding assistant into an autonomous backlog-clearing machine. This practical guide shows enterprise teams how to structure issues and instructions so Copilot can handle routine tasks, technical debt, and bug fixes end-to-end—freeing developers for strategic work. Learn how to assign issues to Copilot just like a human developer and get production-ready pull requests with minimal oversight.

• 📢 Speed is nothing without control: How to keep quality high in the AI era - AI tools dramatically accelerate development velocity, but without proper guardrails, speed creates technical debt and reliability issues faster than ever before. This post introduces GitHub Code Quality (powered by CodeQL) and practical strategies for maintaining code reliability, security, and maintainability while leveraging AI acceleration. For engineering leaders balancing delivery speed with sustainable quality, this article provides the framework for successful AI-augmented development at enterprise scale.

• 🗣️ GitHub AI Agents Explained: How Intelligent Assistants Are Changing Software Development: GitHub AI agents are redefining software development by moving beyond simple code suggestions to become autonomous collaborators that can plan, code, test, and review within your workflow. Read about the benefits, how they work, and how to create your first GitHub AI agent in our community blogpost. 

• 📺 Manage all Copilot agents in one place with Mission Control (7:21) - This video introduces the recently released Mission Control view for GitHub Copilot. Discover how you can assign, monitor, and steer all Copilot agent tasks in one centralized place—empowering your team to work faster, collaborate more effectively, and stay in control across web, editor, and mobile environments.

• 📄 Modernizing Java applications with GitHub Copilot - Modernizing Java applications is critical for reducing technical debt and accelerating adoption of modern frameworks, but manual upgrades are time-consuming and error-prone. GitHub Copilot’s app modernization extension automates code analysis, dependency updates, and containerization, while generating upgrade plans and reports to ensure secure, consistent results. This approach helps teams streamline migrations, improve code quality, and deploy confidently to cloud environments.

• 🗣️ From COBOL to Cloud: 5 Banking Labs with Copilot Agent Mode: We’re sharing five standalone, banking-themed labs designed specifically to showcase Agent mode’s strength establish a repeatable pattern that teams can apply to real modernization programs. 

• 🚢 Assigning GitHub Copilot to an issue now adds you as an assignee - Streamline issue tracking and accountability by automatically becoming an assignee when delegating work to Copilot, ensuring clear ownership and visibility across enterprise development teams.

• 🚢 GitHub Copilot now supports Agent Skills - Empower your development teams to teach Copilot specialized, repeatable tasks through Agent Skills, enabling domain-specific automation that aligns with your enterprise's unique workflows and coding standards. 

Agentic Code Review

• 🚢 Copilot code review now available for organization members without a license - Democratize AI-powered code review across your entire organization as Copilot code review becomes available to all organization members regardless of individual license status, enabling comprehensive quality assurance and knowledge sharing at enterprise scale.

• 📄 About GitHub Copilot code review - The documentation has been updated to reflect the general availability of direct organization billing for premium request usage in Copilot Code Review. Organization members without a Copilot plan can now use Copilot Code Review on GitHub.com, with premium request usage billed directly to their organization or enterprise.

• 🚢 Copilot code review preview features now supported in GitHub Enterprise Cloud with data residency - Leverage AI-powered code review capabilities while maintaining compliance requirements through data residency support, now available for Enterprise Cloud customers with data residency enabled in Japan.

IDE Related GitHub Copilot Updates

• 🚢 Auto model selection is generally available in GitHub Copilot in Visual Studio Code - Auto model selection in Visual Studio Code now dynamically chooses the best available Copilot model at runtime—reducing rate‑limits, applying your policies, and giving paid users a 10% premium‑request discount—while keeping model transparency and control intact as it prepares to evolve for task‑aware optimization. NOTE: Today, auto routes you to readily available, high quality models on your behalf. Soon, auto will become even more intelligent, gaining enhanced capabilities that allow Copilot to select the most appropriate model for your task, matching the model to the complexity level of your request.

• 🚢 C++ code editing tools for GitHub Copilot in public preview - Enhance C++ development productivity in Visual Studio 2026 with specialized code editing tools now available in Copilot's public preview, bringing AI-powered refactoring and code generation capabilities to one of enterprise software's most critical languages.

GitHub Copilot - New Models

• 🚢 Gemini 3 Flash is now in public preview for GitHub Copilot - Experience Google's cutting-edge Gemini 3 Flash model in Copilot's public preview, bringing lightning-fast multimodal AI capabilities that understand code, images, and documentation together for more contextual and powerful development assistance.

• 🚢 Gemini 3 Flash is now available in Visual Studio, JetBrains IDEs, Xcode, and Eclipse - Unlock next-generation AI assistance with Gemini 3 Flash now available in public preview across major IDEs, bringing PhD-level reasoning capabilities and rapid code generation to enterprise developers.

• 🚢 Gemini 3 Pro is now available in Visual Studio, JetBrains IDEs, Xcode, and Eclipse - Gemini 3 Pro is now available in public preview enabling advanced ask, agent, and edit modes.

• 🚢 GPT-5.2 is now generally available in GitHub Copilot - Enterprise teams can now tap into dramatically faster, more context‑aware code generation and review capabilities that elevate developer throughput and unlock new automation patterns across large, complex organizations through next‑level AI reasoning performance.

• 🚢 GPT-5.1-Codex-Max is now generally available in GitHub Copilot - GPT‑5.1 Codex Max delivers a major leap in code understanding and long‑context reasoning, enabling engineering organizations to accelerate complex refactors, improve review quality, and unlock enterprise‑scale AI development workflows with far greater reliability.

• 🚢 GPT-5.1 and GPT-5.1-Codex are now generally available in GitHub Copilot - Harness OpenAI's latest breakthrough models with GPT-5.1 and GPT-5.1-Codex now generally available in Copilot, delivering unprecedented code generation accuracy and reasoning capabilities that elevate enterprise development productivity to new heights.

• 🚢 Claude Opus 4.5 is now generally available in GitHub Copilot - Access enhanced AI capabilities with Claude Opus 4.5 now available, delivering improved code generation and contextual understanding for sophisticated development workflows.

Additional GitHub Copilot Updates

• 🚢 The GitHub MCP Server adds support for tool-specific configuration, and more - Enable fine‑grained tool customization with X‑MCP‑Tools, tighten security via Lockdown mode and automatic content sanitization, and benefit from a full Go SDK migration for performance and future‑proofing.

• 📢 & 📺 MCP joins the Linux Foundation: What this means for developers building the next era of AI tools and agents (1:36) - Model Context Protocol (MCP), the open standard for AI agent interoperability, has been donated to the Linux Foundation's new Agentic AI Foundation—co-founded by Anthropic, Block, OpenAI, Google, Microsoft, and AWS. This move ensures neutral governance and accelerates the development of truly open protocols for agentic AI. Enterprise architects building multi-agent systems will benefit from understanding how MCP standardization reduces fragmentation and enables vendor-neutral AI tool integration.

• 🚢 Dynamic Copilot prompts on GitHub Docs - Accelerate learning and implementation with dynamic Copilot prompts integrated directly into GitHub Docs, providing context-aware AI assistance that helps developers quickly understand and apply platform features within their enterprise workflows.

• 🚢 GitHub Changelog - Copilot, December, 2025 - Skim through all of the Copilot changes from December.

CI/CD

Continuous Integration & Continuous Deployment with GitHub Actions. The big news this month is GitHub is slashing hosted runner prices by up to 39%. We also have new guidance on managing and securing your GitHub Actions workflows. If you are involved in managing and authoring GitHub Actions workflows you'll definitely want to dive into these updates.

• 📚 Pricing changes for GitHub Actions - GitHub is slashing hosted runner prices by up to 39% starting January 1, 2026—offering major savings for teams running CI/CD workloads at scale. As an enterprise software leader, this matters because it fundamentally shifts how you budget, govern, and optimize your CI/CD pipelines: while compute costs drop, orchestration costs are now explicit—making transparency and workflow efficiency essential to avoid surprises. Related Changelog posts: 

  • 🚢 Reduced pricing for GitHub-hosted runners usage 

  • 🚢 Update to GitHub Actions pricing

• 📢 Let's talk about GitHub Actions - GitHub Actions consumed 11.5 billion minutes in 2025 (35% YoY growth) and now handles 71 million jobs daily—triple pre-upgrade capacity—thanks to a complete backend re-architecture. This technical deep dive reveals how GitHub overcame infrastructure bottlenecks to deliver 7x faster job kickoff, rock-solid reliability, and the foundation for future enterprise features. If your organization relies on Actions for CI/CD at scale, understanding these architectural improvements explains the dramatic performance gains and sets expectations for what's coming next.

• 📐 Securing GitHub Actions Workflows - CI/CD pipelines are a prime target for attackers, and insecure GitHub Actions workflows can expose your entire codebase and infrastructure. This guide explains critical strategies—like enforcing least privilege, pinning actions to immutable versions, and using OIDC authentication—to eliminate common attack vectors and protect against supply chain risks. 

• 📐 Deploying Actions Runner Controller (ARC) - Deploying self-hosted runners at scale isn’t just about installing ARC—it requires deep Kubernetes expertise and careful planning to avoid security gaps, performance bottlenecks, and unexpected costs. This guide explains why Infrastructure as Code, cluster isolation, custom runner images, and zero-trust principles are critical for reliability and compliance. If your organization depends on GitHub Actions for production workloads, these recommendations can make the difference between a resilient, cost-effective system and one that fails under pressure.

• 🚢 Better diagnostics for VNET injected runners and required self-hosted runner upgrades - Improve reliability and troubleshooting for Azure VNET-injected runners with enhanced diagnostics while staying compliant with required self-hosted runner version upgrades, ensuring secure and performant CI/CD infrastructure for enterprise environments.

• 🚢 Improved performance for GitHub Actions workflows page - Manage complex CI/CD pipelines more efficiently with lazy loading and job filtering on workflow pages handling 300+ jobs, eliminating performance bottlenecks for enterprise-scale automation and improving troubleshooting workflows.

• 🚢 GitHub Changelog - Actions, December, 2025 - Skim through all of the security related changes from December. 

Security

Application security with GitHub, ensuring the code that lives in GitHub and the dependencies that go into the solutions you build are secure and do not contain any secrets.

Code Security

• 🚢 Code scanning alert assignees are now generally available - Code scanning alerts can now be assigned to individual developers or Copilot, with email notifications, webhook events, and REST API support enabling clear ownership and seamless integration into enterprise workflows to drive faster vulnerability remediation.

• 🚢 More accurate Copilot Autofix usage metrics on security overview - Improved metrics now give you clearer visibility into how Copilot Autofix reduces security debt and prevents vulnerabilities from merging into your codebase.

• 🚢 CodeQL 2.23.7 and 2.23.8 add security queries for Go and Rust - Strengthen your multi-language security scanning with new CodeQL queries for Go and Rust, expanding vulnerability detection and remediation capabilities across diverse enterprise codebases.

Secret Protection

• 🚢 Enterprise governance and policy improvements for secret scanning - Strengthen secret protection at scale with enterprise governance enhancements including delegated bypass controls for push protection and Enterprise Security Manager support, giving security teams centralized oversight while maintaining developer velocity.

Supply Chain Security

• 📢 Strengthening supply chain security: Preparing for the next malware campaign - GitHub introduces staged publishing—a critical new security model that gives package maintainers a review window with MFA-verified approval before packages go live to downstream users. With supply chain attacks escalating (referencing incidents like SolarWinds and Shai-Hulud), this post delivers actionable best practices for code reviews before publishing, strong authentication, and dependency monitoring. Essential for any organization managing open-source dependencies or publishing packages.

• 🚢 Require reviews before closing Dependabot alerts with delegated alert dismissal - Implement mandatory review workflows for Dependabot alert dismissals with delegated alert dismissal, ensuring security oversight and preventing vulnerabilities from being dismissed without proper evaluation by Code Security teams.

• 🚢 Dependabot-based dependency graphs for Go - Gain comprehensive visibility into your Go project dependencies with Dependabot-powered dependency graphs that provide accurate transitive dependency mapping, enhanced SBOMs, and improved supply chain security without incurring additional Actions minutes.

• 🚢 Conda ecosystem support for Dependabot version updates now generally available - Secure your data science and scientific computing workflows with Dependabot now fully supporting the Conda ecosystem, automatically detecting and updating package dependencies to protect against known vulnerabilities in Python and R environments.

• 🚢 Dependabot version updates now support Julia - Extend supply chain security to Julia projects with Dependabot's new support for automatic version updates, bringing enterprise-grade dependency management to scientific computing and high-performance technical applications.

• 🚢 Dependabot version updates now support Bazel - Enhance security for large-scale monorepo architectures with Dependabot's new Bazel support, automatically managing dependencies across complex build systems used by enterprises handling massive codebases.

• 🚢 Dependabot version updates now support OpenTofu - Secure your infrastructure-as-code workflows with Dependabot's new OpenTofu support, ensuring your Terraform-compatible configurations stay up-to-date with the latest security patches and feature improvements.

• 🚢 Dependabot security updates now support uv - Dependabot now automatically detects and remediates vulnerabilities in uv dependencies, helping teams maintain secure environments without manual intervention.

• 🗣️ Locking Down GitHub Enterprise: A Security-First Approach that Actually Works: Our CSA codified the security practices that actually work in the real world – the ones I walk through with customers who are serious about protecting their intellectual property without sacrificing developer productivity. Think of this as your GitHub Enterprise security implementation guide, presentation deck, and sanity-preservation manual all rolled into one. 

Additional Security Updates

• 📐 Securing the developer workspace - Developer workspaces are a critical security boundary—if compromised, they can expose source code, inject malicious code, and trigger supply chain attacks. This guidance explains how to minimize risk through strong identity controls, workspace isolation, least privilege, secure dependency management, and AI-assisted development safeguards. Understanding these practices is essential to protect your organization’s code integrity and prevent vulnerabilities from entering production.

• 📐 Securing GitHub Actions Workflows - CI/CD pipelines are a prime target for attackers, and insecure GitHub Actions workflows can expose your entire codebase and infrastructure. This guide explains critical strategies—like enforcing least privilege, pinning actions to immutable versions, and using OIDC authentication—to eliminate common attack vectors and protect against supply chain risks. If you manage enterprise workflows, these practices are essential to prevent privilege escalation, injection attacks, and compromised dependencies at scale.

• 🚢 GitHub Advanced Security trials now available for more GitHub Enterprise customers - Evaluate comprehensive security capabilities including code scanning, secret scanning, and dependency review through expanded self-serve trial access for Enterprise customers, accelerating your organization's security posture assessment.

• 🚢 GitHub Changelog - Security, December, 2025 - Skim through all of the security related changes from December. 

Engineering

An inside look at how we’re building the home for all developers. Resources based on our internal experiences. 

• 🌐 LinkedIn: Five unexpected wins when you roll out AI systematically - Is your enterprise rushing to implement AI without a clear strategy? When a Microsoft team (Dynamics 365) took a deliberate, systematic approach to their AI rollout, they uncovered Five Unexpected Wins that created lasting value beyond just the tools themselves. Learn how prioritizing foundational best practices and systems thinking led to: 1) Process clarity and focus, 2) Permanent operational assets, 3) Accelerated stakeholder alignment. Stop chasing the "AI rush." Read the case study to discover the blueprint for systematic success.

• 🌐 LinkedIn: GitHub’s Internal AI Adoptionlaybook & https://github.com/github/ai-adoption-playbook - At GitHub, we believe the future of work isn't just about building AI tools, it's about empowering people to use them. As we've navigated our own AI transformation, we've learned that the hardest part isn't the technology. It's the change management. We created this repository to share our journey with you. These aren't abstract frameworks or untested theories—they're the real strategies, lessons, and sometimes hard-won insights from GitHub's AI for Everyone initiative. We're opening up our internal playbook because we believe the best way to accelerate AI adoption across the industry is to learn from each other.

Legend

• 🌐 GitHub Universe 

• 📅 Events

• 📢 GitHub Blog

• 📺 GitHub on YouTube 

• 🚢 The GitHub Changelog 

• 📚 GitHub Resources 

• 📄 GitHub Docs

• 📐 GitHub Well-Architected

• 🗣️ GitHub public feedback & discussions

• 🎧 Podcasts such as GitHub at Work Podcast

• 🙋‍♂️ Training

• 💡 Executive Insights

• 🌐 Third Party Web Site

That’s it for the January '26 edition of the MER. Follow GitHub Enterprise on LinkedIn to see the next round of key updates. 

We want to hear from you! Did you find this curated list of updates from GitHub helpful? Do you have suggestions on how we can provide the information that is going to be the most useful and timely for your role? Visit the GitHub Community. January ‘26 enterprise roundup - community · Discussion